Active Information Gathering
// information gathering
for ip in $(seq 50 100); do host 1.2.3.$ip; done | grep -v "not found"
// zone transfer
host -l domain.com ns1.domain.com
dnsrecon -d domain.com -t axfr
dnsrecon -d domain.com -D ~/list.txt -t brt
dnsenum zonetransfer.me
nc -nvv -w 1 -z 1.2.3.4 3388-3390
nc -nv -u -z -w 1 1.2.3.4 160-162
// Accounting for our traffic (track bytes/packets to and from the target with iptables counters)
sudo iptables -I INPUT 1 -s 1.2.3.4 -j ACCEPT
sudo iptables -I OUTPUT -d 2.3.4.5 -j ACCEPT
// zero out the counters
iptables -Z
iptables -Z TRAFFIC_ACCT
sudo iptables -vn -L
sudo iptables -Z
// stealth / SYN scanning
sudo nmap -sS
// Full TCP connect scan (useful when scanning through Proxies)
nmap -sT
// UDP scanning (relies on ICMP port-unreachable replies to decide which ports are closed)
nmap -sU
// network sweeping
nmap -v -sn 1.2.3.1-254 -oG ping-sweep.txt
grep Up ping-sweep.txt | cut -d " " -f 2 | head
// look for webservers
nmap -p 80 1.2.3.4-254 -oG web-sweep.txt
nmap -sT -A --top-ports=20 1.2.3.1-254 -oG top-port-sweep.txt
// banner / service grabbing
nmap -sV -sT 1.2.3.4
// nmap scripting engine (NSE); scripts are located in /usr/share/nmap/scripts
nmap --script=smb-os-discovery 1.2.3.4
nmap --script=dns-zone-transfer -p 53 ns1.megacorpone.com
// view information about a script
nmap --script-help dns-zone-transfer
// masscan
sudo masscan -p80 10.11.1.0/24 --rate=1000 -e tap0 --router-ip 10.11.1.1
// SMB enumeration
nmap -v -p 139,445 -oG smb.txt 10.11.1.1-254
sudo nbtscan -r 10.11.1.0/24
// nmap smb nse scripts
ls -la /usr/share/nmap/scripts/smb*
nmap -v -p 139,445 --script=smb-os-discovery 1.2.3.4
nmap -v -p 139,445 --script=smb-vuln-ms08-067 --script-args=unsafe=1 1.2.3.4
// NFS enumeration
// scan for rpcbind (port 111) to discover NFS (port 2049)
nmap -sV -p 111 --script=rpcinfo 1.2.3.4-254
// nmap nfs nse scripts
nmap -p 111 --script nfs* 1.2.3.4
sudo mount -o nolock 1.2.3.4:/home ~/home/
sudo adduser pwn
sudo sed -i -e 's/1001/1014/g' /etc/passwd
su pwn
id
//SMTP enumeration - guess valid usernames
nc -nv ip 25
VRFY root
VRFY idontexist
https://github.com/R0B1NL1N/OSCP-note/blob/master/ENUMERATION/SMTP/smtp-vrfy-from-file
// SNMP enumeration
sudo nmap -sU --open -p 161 1.2.3.1-254 -oG open-snmp.txt
cat > community <<EOF
public
private
manager
EOF
for ip in $(seq 1 254); do echo 10.11.1.$ip; done > ips
onesixtyone -c community -i ips
// Windows SNMP enumeration examples
snmpwalk -c public -v1 -t 10 10.11.1.1
// Enumerating windows users
snmpwalk -c public -v1 10.11.1.1 1.3.6.1.4.1.77.1.2.25
// enumerating running windows processes
snmpwalk -c public -v1 10.11.1.1 1.3.6.1.2.1.25.4.2.1.2
// enumerating open TCP ports
snmpwalk -c public -v1 10.11.1.1 1.3.6.1.2.1.6.13.1.3
// enumerating installed software
snmpwalk -c public -v1 10.11.1.1 1.3.6.1.2.1.25.6.3.1.2
// useful URLs
https://book.hacktricks.xyz/network-services-pentesting/nfs-service-pentesting
https://book.hacktricks.xyz/network-services-pentesting/pentesting-ssh
https://mokacoding.com/blog/how-to-verify-ssh-key-password/
https://gtfobins.github.io/gtfobins/zip/
https://catonmat.net/traffic-accounting-with-iptables
https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py